Wait, We Did All This Work to Implement MFA, and Threat Actors Can Readily Bypass It?  

Multifactor Authentication (MFA) is supposed to protect our networks. And it does in many respects, but it is not a failsafe or a crutch to be relied upon in a standalone way. With its popularity and reputation as a fix-all, a casual observer may come to the reasonable conclusion that having MFA in place provides a reliably secure way to protect ourselves digitally. And the data demonstrates that MFA delivers protection. By requiring users to provide multiple forms of verification – typically something they know (e.g., a password) and something they have (e.g., a smartphone or token) – MFA significantly bolsters the resilience of authentication mechanisms, thwarting many traditional cyber threats.

MFA has significant value. There is no doubt about it. However, there are ways that threat actors can bypass MFA, and this article will discuss a specific example of how this can happen. From the interception of financial transactions to the exfiltration of confidential information, the ramifications of attacks that bypass MFA extend far beyond data breaches.

Organizations must recognize the evolving tactics of adversaries and remain committed to safeguarding their digital assets. Heightened awareness, robust security protocols and continuous monitoring are essential components of a proactive defense strategy against attacks that can subvert our most relied-upon cybersecurity tools.

This article provides an example of the surprising nature of cyber-attacks that bypass MFA, discussing how this method can benefit threat actors and the implications for cybersecurity stakeholders. By shedding light on this readily available tool for threat actors, we aim to remind them that an intrusion can occur when defenses are let down momentarily while reinforcing the importance of testing processes and regular cybersecurity training for employees.

To level set, here is a definition of Multifactor Authentication (MFA):

1. Type 1: Something you know (a password, for example)
2. Type 2: Something you have (a code that is texted to you or, better, a code or key you access through an application)
3. Type 3: Something you are (biometrics signature on your phone)

Multifactor means more than one of the above.

And as noted above, MFA is successful in preventing attacks. Jen Easterly, the head of CISA, the Cybersecurity and Infrastructure Security Agency housed within the Department of Homeland Security, noted that implementing MFA can make you 99% less likely to get hacked.

A recent study based on real-world attack data from Microsoft Entra found that MFA reduces the risk of compromise by 99.2 percent. This statistic is from the Microsoft Digital Defense Report published in October 2023 and lists the following web reference:

https://arxiv.org/abs/2305.00945

Taking those quotes into consideration, MFA is not impenetrable. If you break down how a threat actor can bypass MFA into its parts, it is hard not to be surprised by how easily a motivated and unauthorized user can access an individual’s Microsoft account, for example.

We will describe a threat actor tactic called Adversary-in-the-Middle or AiTM, which can be applied to any web interface a user logs into. We’ll use a Microsoft account as an example because of its popularity within many businesses’ digital ecosystems. Our goal is to provide awareness of this type of attack to avoid it or at least recognize it if (when?) it is attempted against us or our organizations. A threat actor implementing AiTM, sometimes called MiTM or Man in The Middle, has an opposing goal of:

1. Stealing a user’s legitimate password
2. Copying or imitating the login page that a user would use to gain access to their account
3. Bypassing MFA or putting the threat actor in between the target and their system to steal authentication methods
4. Starting a session where the threat actor has access to email and all applications via Microsoft, for example
5. Evade detection and log in repeatedly without triggering another MFA prompt. An MFA prompt would be a dead giveaway that something is awry

How, specifically, does a threat actor gain access to someone’s environment?

1. The dark web provides access to very inexpensive software that can help the adversary do most everything it wants. This software is sold for as little as $10, for example. Proxying the Microsoft environment is the key. This means that the attacker sets up a fake website that closely resembles a legitimate website that the victim may visit, such as a Microsoft login page.
2. The threat actor needs to get the user to click the link, enter their password, and authenticate the session. Typically, this is done via a phishing email requesting access to a Word Document, Excel Spreadsheet or even a One Note document. These types of malicious emails could be sent requesting the user to access a banking site, social media platform or online service. Once the user clicks the link, a login sequence is prompted. This email may look legitimate (it could be spoofed or a legitimate email address that has been compromised), and the graphics on the page look identical to Microsoft’s because they are. The web address may look sketchy, but the malicious proxy software the threat actor used allows them to clone the look and capability of the Microsoft login and site.
3. Because the threat actor controls the proxy site, they can access cookies from the real user’s login. The threat actor can then use that cookie to access the user’s session as if they were the user themselves. The cookie is a Text file stored on a computer. It contains relevant information for the online services users would access on their computers. It contains a unique ID for your computer, session information, credentials (sometimes) and other identifying information. This allows a user to avoid entering a username and password every time they access a website but can also allow a threat actor the same advantage if they know how to use simple web tools.
4. Once the user engages with the threat actor’s malicious link, the threat actor has a link to a cookie to access the user’s Microsoft environment as if THEY were the user. No password or MFA prompt is required. One-time passwords through SMS are fairly weak because once a session is authenticated, the threat actor can access the user’s environment while using tactics to mask this access.
5. The user has gained normal access to their Microsoft account and continues to access their Microsoft environment normally, so the legitimate user is none the wiser. The adversary takes the cookie link and puts it into a fresh web browser, which recreates access to the user’s Microsoft account. No username or password is required. The user now has access to email and all applications via Microsoft.

How could this have been avoided?

1. Check the web address to ensure it looks legitimate, and don’t click the link in the first place! This is the best way to avoid these issues.
2. See additional protections below:

Protecting against Man-in-the-Middle (MitM) attacks involves several measures to prevent adversaries from intercepting and manipulating communications between parties. Here’s how you can protect against Adversary-in-the-Middle attacks:

1.    Use HTTPS: Ensure that your web applications and services use HTTPS (HTTP Secure) for encrypted communication over the internet. HTTPS encrypts data in transit, making it difficult for attackers to intercept and manipulate.
2.    Certificate Validation: Implement strong certificate validation mechanisms to verify the authenticity of SSL/TLS certificates presented by servers during the handshake process. This helps prevent attackers from using forged or compromised certificates to intercept traffic.
3.    Public Key Infrastructure (PKI): Implement a robust PKI framework to manage digital certificates securely. Use trusted Certificate Authorities (CAs) to issue and validate certificates for servers and clients.
4.    HSTS (HTTP Strict Transport Security): Enable HSTS on your web servers to enforce the use of HTTPS for all communication with clients. HSTS instructs web browsers to only connect to the server over HTTPS, reducing the risk of downgrade attacks.
5.    Secure Wi-Fi Networks: Secure Wi-Fi networks with strong encryption protocols such as WPA2 or WPA3. Avoid using open or unsecured Wi-Fi networks, especially for sensitive transactions.
6.    VPN (Virtual Private Network): Use VPNs to establish secure, encrypted tunnels for remote access and communication. VPNs protect against MitM attacks by encrypting traffic between endpoints and ensuring data confidentiality and integrity.
7.    Network Segmentation: Segment your network into separate zones with access controls and firewalls to limit the scope of potential MitM attacks. Restrict access to sensitive network resources and implement strict authentication mechanisms.
8.    Strong Authentication: Implement multifactor authentication (MFA) to strengthen authentication processes and prevent unauthorized access to sensitive systems and data. MFA adds an extra layer of security by requiring users to provide multiple forms of authentication.
9.    Security Awareness Training: Educate users about the risks of MitM attacks and provide training on recognizing and avoiding suspicious activities, such as clicking on untrusted links or entering credentials on unsecured websites.
10. Continuous Monitoring: Monitor network traffic and behavior for signs of suspicious activity or anomalies that may indicate a MitM attack in progress. Implement intrusion detection and prevention systems (IDPS) to detect and respond to threats in real time.

Cybersecurity implementations work in many situations, but there are almost always workarounds that skilled threat actors can employ to foil a cybersecurity team’s best efforts. This goes back to user training as the key to protecting against these scenarios. Having a culture of vigilance and the ability to access logs so the cybersecurity professionals can determine whether an unauthorized user has accessed an account and to what extent.

It may seem obvious, but here is an example of what a threat actor can do when accessing a user’s account.

• The key is that once you click their link and provide credentials, they are in control and will gain user access through a session token or cookie access.
• They will likely go straight to the email account to read sensitive transmissions while marking emails unread so as not to tip off the actual account user. They will search for terms like:
  • Invoice
  • Payment
  • Email addresses for vendors, customers or internal financial roles like CFO
  • Looking through inboxes for transactions
• The threat actor will set up mail forwarding rules and obscure their presence.
• Emails from people engaged in the transactions are forwarded to the RSS Feeds folder and marked read where people wouldn’t normally check for emails. This way, the actual user has no idea these emails exist, and the threat actor can take over the lines of communication.
• Threat actors will use Generative Artificial Intelligence platforms to curate and mimic the written language in the emails threat actors are monitoring.
• They will ideally (for them) insert themselves in a financial transaction with a counterparty making or requesting payment.
• They will also create falsified documents/invoices and spoof an email address to send them engaging in curated banter to provide the counterparty a false sense of security.

We have discussed some strategies, but here are countermeasures that companies and their security teams can implement to thwart or detect this fraudulent behavior.

• O365 Microsoft Defender has the capability to notify the legitimate user of discrepancies in account usage. However, the administrator has to set the notifications up. Discrepancies include:
  • Impossible travel activity
  • Activity from infrequently visited countries or regions
  • Suspicious inbox rule manipulation
• Turn on logging.
• Monitor the logs effectively.
  • Outsourcing the monitoring of the Microsoft tenant is a good idea. You have to actively turn this on, and your level of access depends on the type of Microsoft License you have. Ideally, you can have monitoring 24 hours a day on weekends and holiday coverage.
• Once you know or suspect an intrusion, alert your support teams and Cyber Insurance provider if you have coverage while also turning on a litigation hold in the affected mailbox. This will help you preserve emails, even if the threat actor has deleted them and purged the mailbox.

We wrote this article to specifically show how a threat actor can access a system bypassing MFA while emphasizing the importance of a robust cybersecurity program with a significant training component. MFA is an important protection that has gained much praise. Still, it’s not  impenetrable and becomes more effective when combined with additional cybersecurity measures and robust employee training in the overall cybersecurity strategy. Threats are always out there and always evolving to defeat cybersecurity measures, so defense and awareness need to be stepped up continuously.

For more information talk to a cyber expert today.